Origin — the UKUSA Agreement
The 14 Eyes is the contemporary name for an intelligence-sharing community whose roots trace back to the UKUSA Agreement of 1946. UKUSA was a signals-intelligence cooperation pact between the United States and the United Kingdom, formalised in the immediate post-WWII period when both countries had built large signals-intelligence apparatuses and saw value in continuing to coordinate them. The full text of the UKUSA Agreement was declassified by the NSA in 2010 and is publicly available through the NSA's UKUSA archive.
Canada, Australia and New Zealand were brought into the UKUSA framework in the years following 1946, expanding it to a five-member alliance. This is the original Five Eyes. The five-member structure has remained the core of the alliance ever since; later expansions (to Nine Eyes, then 14 Eyes) are looser cooperative arrangements layered on top, not extensions of the underlying treaty.
The Snowden disclosures of 2013–2014 are the most detailed public record of how the alliance actually operates. Wikipedia's Five Eyes article and The Intercept's coverage of the UKUSA documents are reasonable starting points; the primary documents are accessible through several archives.
The expansion to Nine and 14
Five Eyes (the UKUSA core) expanded to Nine Eyes during the Cold War with the addition of Denmark, France, the Netherlands and Norway. These four are not full UKUSA signatories but participate in specific coordinated programs — particularly signals intelligence on adversary states. The cooperation is real but procedurally narrower than the UKUSA core.
14 Eyes adds Germany, Belgium, Italy, Spain and Sweden to the Nine Eyes. The 14 Eyes designation is sometimes called "SIGINT Seniors Europe" (SSEUR) — it is a working-group structure for European signals-intelligence sharing rather than a treaty-grade alliance. Member agencies meet regularly, exchange selected intelligence products, and coordinate certain operations, but the legal framework is less coercive than the UKUSA core.
Beyond 14 Eyes there are documented working relationships with Israel, Singapore, South Korea, Japan and a small number of other states. These are sometimes called "Eyes adjacent" or "third-party partners" but do not have a formal collective name in public sources.
The full 14-member list
Five Eyes (UKUSA core): United States, United Kingdom, Canada, Australia, New Zealand.
Nine Eyes (Five Eyes + four): adds Denmark, France, the Netherlands, Norway.
14 Eyes (Nine Eyes + five): adds Germany, Belgium, Italy, Spain, Sweden.
When privacy-focused hosting describes itself as "outside 14 Eyes" it means the hosting infrastructure (and ideally the corporate parent) is in a country not on this list of fourteen. Iceland, Switzerland, Romania, Saint Kitts and Nevis, Cyprus, Bulgaria, the Cayman Islands, Malaysia, Hong Kong (with caveats), and a handful of others are the common picks.
The five jurisdictions we operate in (Iceland, Switzerland, Romania, Netherlands, Saint Kitts) include one 14 Eyes member (the Netherlands). We are explicit about this: the Netherlands is a 14 Eyes member, and customers who specifically want to be outside the alliance should pick Iceland, Switzerland or Saint Kitts and Nevis instead. The Netherlands offers compensating advantages (best Western European latency, AMS-IX peering reach) that make it the right pick for some workloads despite the alliance membership.
What members can and cannot share by treaty
Within the UKUSA core (Five Eyes), the formal arrangement is "no collection on each other's citizens by each other's agencies, but unrestricted sharing of collection on third parties." The practical effect is that NSA collection on UK citizens is theoretically restricted; UK collection on US citizens is theoretically restricted; but if NSA collects on French citizens, sharing that intelligence with GCHQ requires no additional process. The Snowden documents demonstrate that the formal restriction has been worked around historically (NSA asking GCHQ to surveil US citizens and vice versa), but the formal posture remains.
Within Nine and 14 Eyes, the sharing is narrower and more procedural. Specific intelligence products are exchanged through specific liaison channels; bulk metadata sharing analogous to the Five Eyes "FIVE EYES" tags is not the default. The German BND, French DGSE and Italian AISE participate in specific cooperative programs but maintain operationally distinct collection systems.
What the alliance does NOT include, in either the Five Eyes core or the wider 14: a court system that compels member states to act on each other's warrants, a unified surveillance regime, or a treaty obligation to monitor specific targets. It is an intelligence-sharing community, not a coordinated law-enforcement apparatus. National laws still apply within each member state.
Implications for hosting customers
For hosting purposes, 14 Eyes membership matters most for two scenarios: (1) you are a high-value intelligence target whose communications are likely subject to bulk collection, or (2) you are concerned about a foreign intelligence service compelling your host to act through diplomatic-or-intelligence channels rather than judicial process.
For scenario 1, hosting outside 14 Eyes adds a layer of friction but is not a complete defence. A target of US national-security interest is likely to have their backbone traffic collected wherever it transits, and most internet traffic transits at least one 14 Eyes member en route between continents. Hosting in Iceland helps; it does not create immunity.
For scenario 2, the question is more concrete. If a foreign intelligence service wants your host to log specific traffic, the path is generally to ask the host's domestic intelligence agency to make the request. Within 14 Eyes, that request can ride on existing cooperative channels and is more likely to be granted. Outside 14 Eyes (Iceland, Switzerland, Saint Kitts), the request has to proceed through more formal diplomatic channels, which is slower and more visible.
For ordinary privacy-conscious customers (journalists, activists, privacy-tool maintainers, self-hosters), the practical effect of choosing outside-14-Eyes is moderate but real. The host is less likely to receive informal pressure; the host's domestic legal system is the binding constraint. ProtonMail's explainer on the alliance is a useful read for the consumer-privacy framing.
How offshore hosts position themselves around 14 Eyes
The marketing pattern is consistent: hosts in Iceland, Switzerland, Romania (sometimes), and the Caribbean lean heavily on "outside 14 Eyes" as a selling point. Hosts in the Netherlands, Germany or France downplay the alliance question and emphasise other advantages (peering, latency, EU GDPR posture). Both positionings are valid; what matters is that the customer understands the trade-off.
The trade-off is roughly: 14 Eyes members typically have better network reach (the alliance correlates with major internet exchange points and tier-1 transit hubs) and stronger civil legal frameworks (rule-of-law indices put most 14 Eyes members in the top quartile globally), but offer marginally less protection from intelligence-channel pressure. Outside-14-Eyes jurisdictions trade some network reach and (sometimes) some legal-framework strength for less alliance exposure.
The right choice depends on what you optimise for. For Tor exit relays serving sensitive traffic, outside-14-Eyes (Iceland, Switzerland) is the clear pick. For game servers serving Western European users, inside-14-Eyes Netherlands wins on latency by a wide enough margin to justify the trade-off. For a personal blog, the alliance question is a small factor among many.
The "Eyes adjacent" community
Several countries cooperate with 14 Eyes through bilateral arrangements without being formal members. The most extensively documented are Israel (very close cooperation with NSA, including bulk-data sharing per Snowden disclosures), Japan (intelligence cooperation via the Japan-US security treaty), Singapore (key node for Asia-Pacific signals collection), and South Korea. These are sometimes called "third-party partners" or "Eyes adjacent."
For hosting purposes, customers who specifically care about Five/14 Eyes exposure should also weigh these adjacent relationships. Singapore in particular is a major data-center hub for Asia-Pacific operations, and its close cooperation with US intelligence is documented. A Singapore-hosted server is not technically inside 14 Eyes but is plausibly within the same intelligence-sharing community for practical purposes.
Iceland, Switzerland, Saint Kitts, the Cayman Islands, and Romania (despite EU membership) are the most reliably outside both the formal alliance and the broader cooperative community.
Conclusão
14 Eyes is real, documented, and matters for specific threat models — but it is not a binary kill-switch on hosting privacy. It is one factor in a broader analysis that includes the host's corporate jurisdiction, the operating jurisdiction's domestic law, the network path of traffic in transit, and the customer's specific threat model.
For maximum alliance distance, pick a host whose corporate parent and operating infrastructure are both outside the 14 (Iceland, Switzerland, Saint Kitts, Cayman). For balanced hosting that trades some alliance distance for network reach and EU legal framework, the Netherlands or Romania are reasonable picks despite Dutch 14-Eyes membership and Romanian EU membership.
And as with all privacy infrastructure choices: the alliance question is one input among many. A host that is outside 14 Eyes but logs everything is worse than a host inside 14 Eyes with no logs. Optimise the full stack, not a single dimension.
